
Issue 784299


Issue metadata

Status: WontFix
Owner:
Closed: Jan 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Windows
Pri: 1
Type: Bug




Null-dereference READ in blink::CSSPaintDefinition::Paint

Project Member Reported by ClusterFuzz, Nov 13 2017

Issue description

Detailed report: https://clusterfuzz.com/testcase?key=5028642190262272

Fuzzer: mbarbella_js_mutation_layout
Job Type: linux_asan_content_shell_drt
Platform Id: linux

Crash Type: Null-dereference READ
Crash Address: 0x000000000008
Crash State:
  blink::CSSPaintDefinition::Paint
  blink::PaintWorklet::Paint
  blink::CSSPaintImageGeneratorImpl::Paint
  
Sanitizer: address (ASAN)

Reproducer Testcase: https://clusterfuzz.com/download?testcase_id=5028642190262272

Issue filed automatically.

See https://github.com/google/clusterfuzz-tools for more information.
 
Cc: msrchandra@chromium.org pnangunoori@chromium.org
Components: Blink>Paint
Labels: Test-Predator-Wrong M-63
Owner: xidac...@chromium.org
Status: Assigned (was: Untriaged)
Predator and CL could not provide any possible suspects.
Using code search for the file “PaintWorklet.cpp”, assigning to the concerned owner from git blame.
Suspecting Commit#
https://chromium.googlesource.com/chromium/src/+/b6d27042dd93aabdddcdddddffefe6a0f7d3a7a1

@xidachen -- Could you please look into this issue? Kindly reassign if it has nothing to do with your changes.
Thank You.

pnangunoori@: I cannot repro this with 64.0.3270.0, maybe it has been addressed, could you verify?
Cc: mmoroz@chromium.org
mmoroz@, can you please look into c#2? If it is already fixed on trunk, CF should have added the 'CF-Verified' label?

Comment 4 by mmoroz@chromium.org, Nov 22 2017

Interesting. I don't see "Last tested stacktrace", so I kicked off Progression task manually. Let's see whether it detects a fix or shows us any error.

Comment 5 by mmoroz@chromium.org, Nov 22 2017

LAST TESTED STACKTRACE ON REVISION 518715 (176 LINES)

The issue still seems to be reproducible.
Project Member Comment 6 by ClusterFuzz, Dec 2 2017

Labels: OS-Windows
mmoroz@: I cannot repro this with tip-of-tree code. Could you provide more info?
1. What are the gn args used for the build?
2. Are you running content_shell or chrome?
3. Are there any command line args when running chrome or content_shell?

Comment 8 by mmoroz@chromium.org, Jan 12 2018

The easiest way to reproduce a crash is to use the reproduce tool; please see the following text from the ClusterFuzz testcase page:

You can reproduce this crash painlessly with our reproduce tool. For Googlers, install the required libraries and run prodaccess && /google/data/ro/teams/clusterfuzz-tools/releases/clusterfuzz reproduce 5028642190262272. For non-Googlers, see the installation section. Report any issues at clusterfuzz-dev@chromium.org.


1) ctrl+F "GN CONFIG (ARGS.GN)" on the ClusterFuzz testcase page

2, 3) If you expand the stacktrace on the ClusterFuzz testcase page, you'll see the command used as well as environment variables that are important in some cases:

/mnt/scratch0/clusterfuzz/slave-bot/builds/chromium-browser-asan_linux-release_4392242b7f59878a2775b4607420a2b37e17ff13/symbolized/release/asan-linux-release-514498/content_shell --user-data-dir=/mnt/scratch0/tmp/user_profile_0 --run-layout-test --dump-render-tree --use-gl=swiftshader --enable-experimental-web-platform-features --disable-in-process-stack-traces --enable-logging=stderr --v=1 --enable-features=V8Future /mnt/scratch0/clusterfuzz/slave-bot/inputs/fuzzer-testcases/fuzzer-testcases/fuzz-00474.html
[Environment] ASAN_OPTIONS = redzone=128:symbolize=0:handle_sigill=1:handle_segv=1:use_sigaltstack=1:strict_memcmp=0:allow_user_segv_handler=0:coverage=0:allocator_may_return_null=1:fast_unwind_on_fatal=1:handle_sigfpe=1:handle_sigbus=1:detect_stack_use_after_return=1:alloc_dealloc_mismatch=0:detect_leaks=1:print_scariness=1:max_uar_stack_size_log=16:handle_abort=1:check_malloc_usable_size=0:detect_container_overflow=1:detect_odr_violation=0:malloc_context_size=128:print_summary=1


But again, to avoid that manual work, the reproduce tool can do it for you :)


ClusterFuzz also says that it's flaky and not reproducible anymore. I've kicked off Progression and Fixed tasks, let's see if CF's resolution changes.
Status: WontFix (was: Assigned)
Closing this bug as I cannot repro locally, and ClusterFuzz says it is not reproducible.
